Applies to: Centrify DirectControl on all versions of OS X
AD users are able to log in successfully once on a Mac, but subsequent login attempts produce the following message:
An account conflict has occurred. There is an identical Active Directory with conflicting name (No RecordName). Please see the Account Migration Tool for help.
This message can be seen for both Desktop and command-line logins (whether via Terminal or via SSH).
Account Migration is NOT in use and there are no duplicate accounts in any of the Zones and no conflicting local accounts of the same name.
Listing the local user records with the Terminal command:
dscl . -list /Users
also shows no conflicting entries, but does return some empty records, displayed as:
-- "No RecordName"
-- "No RecordName"
It was found that the Mac was using the workaround script found in the following KB:
The script in that KB can only be used on Mac systems where AD users are converted to Mobile Accounts immediately after their first login. If a regular AD account instead logs in to the Mac as a Network Account, its user record may inadvertently be made locally read-only on the Mac, and the user will not be able to log in a second time.
Note:
Although the error message mentions Account Migration, the core issue is unrelated to migrated accounts. However, the same message may also appear if the above KB was implemented and account migration was then performed (which is strongly not recommended).
Resolution:
- Log in to the Mac as a local admin, open Terminal and run the command:
sudo ls -l /var/db/dslocal/nodes/Default/users/
This will return the list of local records on the system as plist files.
- There should be a plist with the corresponding username of the "stuck" account.
- Delete the stuck user plist using the command:
sudo rm /var/db/dslocal/nodes/Default/users/stuck_username.plist
- Repeat for any other "stuck" usernames in the list, then run:
sudo adflush -f
- Log out and try to log in with the target account; it should now succeed.
- Immediately convert the user to a Mobile Account either manually, or via GP.
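The resolution steps above, collected into a small script as an added example (this is not Centrify's script and not from the KB referenced above). It lists the local records, moves the stuck user's plist into a backup directory instead of deleting it outright (so a wrong guess at the username is reversible), refuses usernames containing path separators, and runs `adflush -f` only when the tool is present. The record directory is the one from the steps above; the backup location and the `DSLOCAL_USERS`/`BACKUP_DIR` environment overrides are assumptions for this example.

```shell
#!/bin/sh
# Added example, not Centrify's own script: back up and remove "stuck"
# local user records from the dslocal node, then flush the DirectControl
# cache. Run as root on the affected Mac:
#   sudo sh fix_stuck_record.sh alice bob
# DSLOCAL_USERS and BACKUP_DIR are assumed overrides for this example.

DSLOCAL_USERS="${DSLOCAL_USERS:-/var/db/dslocal/nodes/Default/users}"

# Print the local records (plist basenames without .plist) in a dslocal
# users directory; this mirrors "sudo ls -l" on that directory.
list_local_records() {
    dir="$1"
    for f in "$dir"/*.plist; do
        [ -e "$f" ] || continue
        basename "$f" .plist
    done
}

# Move the stuck user's plist into a backup directory instead of rm'ing it,
# with a timestamp suffix so repeated runs never overwrite a backup.
# Usage: remove_stuck_record <users_dir> <username> <backup_dir>
remove_stuck_record() {
    dir="$1"; user="$2"; bdir="$3"
    # Refuse empty names, path separators and dot-prefixed names: the
    # username is joined straight into a path under the users directory.
    case "$user" in
        ""|*/*|.*) echo "refusing suspicious username: '$user'" >&2; return 2 ;;
    esac
    src="$dir/$user.plist"
    if [ ! -f "$src" ]; then
        echo "no local record for '$user' in $dir" >&2
        return 1
    fi
    mkdir -p "$bdir"
    mv "$src" "$bdir/$user.plist.$(date +%Y%m%d%H%M%S)"
}

# Flush the DirectControl cache (adflush -f) when the tool is installed;
# on a machine without Centrify this is a no-op so the script still runs.
flush_ad_cache() {
    if command -v adflush >/dev/null 2>&1; then
        adflush -f
    else
        echo "adflush not found; skipping cache flush" >&2
    fi
}

main() {
    backup_dir="${BACKUP_DIR:-/var/root/dslocal-backup}"
    echo "Local records in $DSLOCAL_USERS:"
    list_local_records "$DSLOCAL_USERS"
    for u in "$@"; do
        if remove_stuck_record "$DSLOCAL_USERS" "$u" "$backup_dir"; then
            echo "moved $u.plist to $backup_dir"
        fi
    done
    flush_ad_cache
    echo "Now log in as the affected user and convert the account to a Mobile Account."
}

# Only act when stuck usernames are given on the command line.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

After the script has run, log in as the affected user and convert the account to a Mobile Account as in the final step; if the login still fails, the moved plist can be put back from the backup directory.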